Used as user shell to allow developers jump into their containers using ssh
- simple and effective ACL, just run the container with
-l owner=myuser
or-l group=mygroup
- access to all containers if you are member of
jumpshell-all
group (besidejumpshell
group) - opens all owned containers in
tmux
windows - interactive picker
ssh -t myuser@remote picker
- scriptable non-interactive mode
ssh myuser@remote mycontainer cat /etc/hosts | wc -l
- tail container logs
ssh myuser@remote docker_logs mycontainer | grep ERROR
- and with log picker
ssh -t myuser@remote docker_logs
- developers are NOT granted access to host
- developers are NOT granted access to docker socket
- developers can NOT execute random docker commands
- only listing owned containers and exec inside owned containers is allowed
- only containers having special labels are allowed
sudo
is only to a simple helper script that do the above checks
- Can I use it with mosh?
- yes, it just work
- Can I use it to create tunnels to a container port?
- yes
ssh -L 8080:<CONTAINER_IP>:8080 -t myuser@remote picker
(don't forget-t
)
- yes
- How can I receive a file from the container?
- simply
cat
it, like thisssh myuser@remote mycontainer cat /path/to/myfile > ./myfile
- simply
- How can I send a file to the container?
- simply
cat
it, like thisssh myuser@remote mycontainer bash -c "cat > /path/to/myfile" < ./myfile
- simply
- How can I receive a directory from the container?
- simply
tar
it, like thisssh myuser@remote mycontainer tar -czf - /path/to/mydir | tar -xzf - -C .
- simply
- How can I send a directory to the container?
- simply
tar
it, like thistar -czf - . | ssh myuser@remote mycontainer tar -xzf - -C /path/to/mydir
- simply
- Is it possible to
scp
?- no, use
tar
trick above
- no, use
- Is it possible to
rsync
overssh
?- no, use
tar
trick above
- no, use
- How to remove access from a user? I can't remove docker label!
- remove the public key from
authorized_keys
- or remove the UNIX user from
jumpshell
group
- remove the public key from
- Can I define custom shell?
- yes, pass
-l shell=/full/path/to/shell
- no need to define it for
bash
andsh
- yes, pass
- I have running countainers without labels how I access them?
- add your user to
jumpshell-all
group.
- add your user to
- docker with label support
- tmux
- whiptail
Just place them in a place like /usr/local/bin/
cd /usr/local/bin/
curl -sSLO https://raw.githubusercontent.com/muayyad-alsadi/docker-jumpshell/v1.5/docker-jumpshell-helper.sh
curl -sSLO https://raw.githubusercontent.com/muayyad-alsadi/docker-jumpshell/v1.5/docker-jumpshell.sh
chmod +x docker-jumpshell*.sh
create a group to be allowed to jump into their owned docker containers
groupadd jumpshell
add the following to /etc/sudoers.d/docker-jumpshell
Defaults !requiretty
%jumpshell ALL=(ALL) NOPASSWD: /usr/local/bin/docker-jumpshell-helper.sh
add the user, make his shell be the script, run a container of your choice named after the user
useradd myuser
usermod -a -G jumpshell myuser
chsh -s /usr/local/bin/docker-jumpshell.sh myuser
docker run -d -t --restart=always --name=my-fedora -l owner=myuser fedora/systemd-systemd
docker run -d -t --restart=always --name=my-ubuntu -l owner=myuser ubuntu-upstart:trusty
add public keys to /home/myuser/.ssh/authorized_keys
and make sure they have right permissions
sudo -u myuser /bin/bash -l
mkdir -p /home/myuser/.ssh/
vim /home/myuser/.ssh/authorized_keys
chmod 700 /home/myuser/.ssh/authorized_keys
chmod 644 /home/myuser/.ssh/authorized_keys
now you can execute commands in the container or have interactive shells on it
ssh -t myuser@remotebox picker
ssh -t myuser@remotebox my-fedora
ssh myuser@remotebox my-fedora cat /etc/hosts
ssh myuser@remotebox
in tmux
use
CTRL+B n
to move to next window,CTRL+B c
to create a new windowCTRL+B d
to detach
members of group jumpshell
are allowed to sudo
the helper script.
the helper script is a simple secure script that
- sudo itself if not root
- accept only two commands
ls
andexec
ls
would list all containers having labelowner=<USER>
orgroup=<GROUP>
exec
is followed by container idexec
validates that the given container have the suitable label (authorize)exec <ID>
would run interactive bash inside the given containerexec <ID> <COMMAND>
would runbash -c "COMMAND"
inside the given containerlogs <ID>
tail and follow logs of given container
the shell of the desired user is set to docker-jumpshell.sh
which has more complex logic but it's safe because the user can't sudo
it
the shell is executed when users access it remotely via ssh
If a container is to be accessed by more than one user,
create a UNIX group for that by typing groupadd jumpshell-mygroup
then add users to that group, then run your docker containers with label group=mygroup
NOTE: we have added jumpshell-
prefix to UNIX group name
that is omitted from docker label. The reason behind this
is to allow you so that UNIX admin
is not jumpshell-admin